.

.github/dependabot.yml

@@ -1,20 +0,0 @@
----
-version: 2
-
-updates:
-- package-ecosystem: "npm"
-  directory: "/"
-  schedule:
-    interval: "weekly"
-  groups:
-    minor-npm-dependencies:
-      # NPM: Only group minor and patch updates (we want to carefully review major updates)
-      update-types: [minor, patch]
-- package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-    interval: "weekly"
-  groups:
-    minor-actions-dependencies:
-      # GitHub Actions: Only group minor and patch updates (we want to carefully review major updates)
-      update-types: [minor, patch]

.github/workflows/check-dist.yml

@@ -22,12 +22,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v3
 
-      - name: Set Node.js 24.x
-        uses: actions/setup-node@v4
+      - name: Set Node.js 16.x
+        uses: actions/setup-node@v1
         with:
-          node-version: 24.x
+          node-version: 16.x
 
       - name: Install dependencies
         run: npm ci
@@ -44,7 +44,7 @@ jobs:
           fi
 
       # If dist/ was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v2
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

.github/workflows/codeql-analysis.yml

@@ -39,10 +39,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v3
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,4 +55,4 @@ jobs:
     - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v1

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v3
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/publish-immutable-actions.yml

@@ -1,20 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Checking out
-        uses: actions/checkout@v6
-      - name: Publish
-        id: publish
-        uses: actions/publish-immutable-action@v0.0.4

.github/workflows/test.yml

@@ -7,19 +7,14 @@ on:
       - main
       - releases/*
 
-
-# Note that when you see patterns like "ref: test-data/v2/basic" within this workflow,
-# these refer to "test-data" branches on this actions/checkout repo.
-# (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic)
-
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v1
         with:
-          node-version: 24.x
-      - uses: actions/checkout@v6
+          node-version: 16.x
+      - uses: actions/checkout@v3
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -37,7 +32,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v3
 
       # Basic checkout
       - name: Checkout basic
@@ -77,64 +72,6 @@ jobs:
         shell: bash
         run: __test__/verify-side-by-side.sh
 
-      # Filter
-      - name: Fetch filter
-        uses: ./
-        with:
-          filter: 'blob:none'
-          path: fetch-filter
-
-      - name: Verify fetch filter
-        run: __test__/verify-fetch-filter.sh
-
-      # Fetch tags
-      - name: Checkout with fetch-tags
-        uses: ./
-        with:
-          ref: test-data/v2/basic
-          path: fetch-tags-test
-          fetch-tags: true
-      - name: Verify fetch-tags
-        shell: bash
-        run: __test__/verify-fetch-tags.sh
-
-      # Sparse checkout
-      - name: Sparse checkout
-        uses: ./
-        with:
-          sparse-checkout: |
-            __test__
-            .github
-            dist
-          path: sparse-checkout
-
-      - name: Verify sparse checkout
-        run: __test__/verify-sparse-checkout.sh
-
-      # Disabled sparse checkout in existing checkout
-      - name: Disabled sparse checkout
-        uses: ./
-        with:
-          path: sparse-checkout
-
-      - name: Verify disabled sparse checkout
-        shell: bash
-        run: set -x && ls -l sparse-checkout/src/git-command-manager.ts
-
-      # Sparse checkout (non-cone mode)
-      - name: Sparse checkout (non-cone mode)
-        uses: ./
-        with:
-          sparse-checkout: |
-            /__test__/
-            /.github/
-            /dist/
-          sparse-checkout-cone-mode: false
-          path: sparse-checkout-non-cone-mode
-
-      - name: Verify sparse checkout (non-cone mode)
-        run: __test__/verify-sparse-checkout-non-cone-mode.sh
-
       # LFS
       - name: Checkout LFS
         uses: ./
@@ -176,22 +113,6 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
-      # Worktree credentials
-      - name: Checkout for worktree test
-        uses: ./
-        with:
-          path: worktree-test
-      - name: Verify worktree credentials
-        shell: bash
-        run: __test__/verify-worktree.sh worktree-test worktree-branch
-
-      # Worktree credentials in container step
-      - name: Verify worktree credentials in container step
-        if: runner.os == 'Linux'
-        uses: docker://bitnami/git:latest
-        with:
-          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
-
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'
@@ -217,7 +138,7 @@ jobs:
   test-proxy:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/actions/test-ubuntu-git:main.20240221.114913.703z
+      image: alpine/git:latest
       options: --dns 127.0.0.1
     services:
       squid-proxy:
@@ -229,7 +150,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -261,7 +182,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -291,13 +212,13 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v3
         with:
-          path: localClone
+          path: v3
 
       # Basic checkout using git
       - name: Checkout basic
-        uses: ./localClone
+        uses: ./v3
         with:
           ref: test-data/v2/basic
       - name: Verify basic
@@ -318,40 +239,7 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v6
-        uses: actions/checkout@v6
+      - name: Fix Checkout v3
+        uses: actions/checkout@v3
         with:
-          path: localClone
-
-  test-output:
-    runs-on: ubuntu-latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          path: actions-checkout
-
-      # Basic checkout using git
-      - name: Checkout basic
-        id: checkout
-        uses: ./actions-checkout
-        with:
-          path: cloned-using-local-action
-          ref: test-data/v2/basic
-
-      # Verify output
-      - name: Verify output
-        run: |
-          echo "Commit: ${{ steps.checkout.outputs.commit }}"
-          echo "Ref: ${{ steps.checkout.outputs.ref }}"
-
-          if [ "${{ steps.checkout.outputs.ref }}" != "test-data/v2/basic" ]; then
-            echo "Expected ref to be test-data/v2/basic"
-            exit 1
-          fi
-
-          if [ "${{ steps.checkout.outputs.commit }}" != "82f71901cf8c021332310dcc8cdba84c4193ff5d" ]; then
-            echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d"
-            exit 1
-          fi
+          path: v3

.github/workflows/update-main-version.yml

@@ -1,5 +1,5 @@
 name: Update Main Version
-run-name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
+run-name: Move ${{ github.event.inputs.main_version }} to ${{ github.event.inputs.target }}
 
 on:
   workflow_dispatch:
@@ -7,30 +7,24 @@ on:
       target:
         description: The tag or reference to use
         required: true
-      major_version:
+      main_version:
         type: choice
-        description: The major version to update
+        description: The main version to update
         options:
-          - v5
-          - v4
           - v3
-          - v2
 
 jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-    # Note this update workflow can also be used as a rollback tool.
-    # For that reason, it's best to pin `actions/checkout` to a known, stable version
-    # (typically, about two releases back).
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v3
       with:
         fetch-depth: 0
     - name: Git config
       run: |
-        git config user.name "github-actions[bot]"
-        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git config user.name github-actions
+        git config user.email github-actions@github.com
     - name: Tag new target
-      run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
+      run: git tag -f ${{ github.event.inputs.main_version }} ${{ github.event.inputs.target }}
     - name: Push new tag
-      run: git push origin ${{ github.event.inputs.major_version }} --force
+      run: git push origin ${{ github.event.inputs.main_version }} --force

.github/workflows/update-test-ubuntu-git.yml

@@ -1,59 +0,0 @@
-name: Publish test-ubuntu-git Container
-
-on:
-  # Use an on demand workflow trigger.  
-  # (Forked copies of actions/checkout won't have permission to update GHCR.io/actions, 
-  #  so avoid trigger events that run automatically.)
-  workflow_dispatch:
-    inputs:
-      publish:
-        description:  'Publish to ghcr.io? (main branch only)'
-        type: boolean
-        required: true
-        default: false
-
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: actions/test-ubuntu-git
-
-jobs:
-  build-and-push-image:
-    runs-on: ubuntu-latest
-    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
-    permissions:
-      contents: read
-      packages: write
- 
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      # Use `docker/login-action` to log in to GHCR.io. 
-      # Once published, the packages are scoped to the account defined here.
-      - name: Log in to the ghcr.io container registry
-        uses: docker/login-action@v3.3.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Format Timestamp
-        id: timestamp
-        # Use `date` with a custom format to achieve the key=value format GITHUB_OUTPUT expects.
-        run: date -u "+now=%Y%m%d.%H%M%S.%3NZ" >> "$GITHUB_OUTPUT"
-
-      - name: Issue Image Publish Warning
-        if:  ${{ inputs.publish && github.ref_name != 'main' }}
-        run: echo "::warning::test-ubuntu-git images can only be published from the actions/checkout 'main' branch.  Workflow will continue with push/publish disabled."
-
-      # Use `docker/build-push-action` to build (and optionally publish) the image. 
-      - name: Build Docker Image (with optional Push)
-        uses: docker/build-push-action@v6.5.0
-        with:
-          context: .
-          file: images/test-ubuntu-git.Dockerfile
-          # For now, attempts to push to ghcr.io must target the `main` branch.
-          # In the future, consider also allowing attempts from `releases/*` branches.
-          push: ${{ inputs.publish && github.ref_name == 'main' }}
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}.${{ steps.timestamp.outputs.now }}

.licensed.yml

@@ -12,4 +12,3 @@ allowed:
 
 reviewed:
   npm:
-    - "@actions/http-client" # MIT

CHANGELOG.md

@@ -1,135 +1,5 @@
 # Changelog
 
-## v7.0.0
-* Block checking out fork PR for pull_request_target and workflow_run by @aiqiaoy in https://github.com/actions/checkout/pull/2454
-* Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @dependabot[bot] in https://github.com/actions/checkout/pull/2458
-* Bump flatted from 3.3.1 to 3.4.2 by @dependabot[bot] in https://github.com/actions/checkout/pull/2460
-* Bump js-yaml from 4.1.0 to 4.2.0 by @dependabot[bot] in https://github.com/actions/checkout/pull/2461
-* Bump @actions/core and @actions/tool-cache and Remove uuid by @dependabot[bot] in https://github.com/actions/checkout/pull/2459
-* upgrade module to esm and update dependencies by @aiqiaoy in https://github.com/actions/checkout/pull/2463
-* Bump the minor-npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in https://github.com/actions/checkout/pull/2462
-
-## v6.0.3
-* Fix checkout init for SHA-256 repositories by @yaananth in https://github.com/actions/checkout/pull/2439
-* fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in https://github.com/actions/checkout/pull/2414
-
-## v6.0.2
-* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
-
-## v6.0.1
-* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
-
-## v6.0.0
-* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
-* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
-
-## v5.0.1
-* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
-
-## v5.0.0
-* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
-
-## v4.3.1
-* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
-
-## v4.3.0
-* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
-* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
-* Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
-* Adjust positioning of user email note and permissions heading by @joshmgross in https://github.com/actions/checkout/pull/2044
-* Update README.md by @nebuk89 in https://github.com/actions/checkout/pull/2194
-* Update CODEOWNERS for actions by @TingluoHuang in https://github.com/actions/checkout/pull/2224
-* Update package dependencies by @salmanmkc in https://github.com/actions/checkout/pull/2236
-
-## v4.2.2
-* `url-helper.ts` now leverages well-known environment variables by @jww3 in https://github.com/actions/checkout/pull/1941
-* Expand unit test coverage for `isGhes` by @jww3 in https://github.com/actions/checkout/pull/1946
-
-## v4.2.1
-* Check out other refs/* by commit if provided, fall back to ref by @orhantoy in https://github.com/actions/checkout/pull/1924
-
-## v4.2.0
-
-* Add Ref and Commit outputs by @lucacome in https://github.com/actions/checkout/pull/1180
-* Dependency updates by @dependabot- https://github.com/actions/checkout/pull/1777, https://github.com/actions/checkout/pull/1872
-
-## v4.1.7
-* Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in https://github.com/actions/checkout/pull/1739
-* Bump actions/checkout from 3 to 4 by @dependabot in https://github.com/actions/checkout/pull/1697
-* Check out other refs/* by commit by @orhantoy in https://github.com/actions/checkout/pull/1774
-* Pin actions/checkout's own workflows to a known, good, stable version. by @jww3 in https://github.com/actions/checkout/pull/1776
-
-## v4.1.6
-* Check platform to set archive extension appropriately by @cory-miller in https://github.com/actions/checkout/pull/1732
-
-## v4.1.5
-* Update NPM dependencies by @cory-miller in https://github.com/actions/checkout/pull/1703
-* Bump github/codeql-action from 2 to 3 by @dependabot in https://github.com/actions/checkout/pull/1694
-* Bump actions/setup-node from 1 to 4 by @dependabot in https://github.com/actions/checkout/pull/1696
-* Bump actions/upload-artifact from 2 to 4 by @dependabot in https://github.com/actions/checkout/pull/1695
-* README: Suggest `user.email` to be `41898282+github-actions[bot]@users.noreply.github.com` by @cory-miller in https://github.com/actions/checkout/pull/1707
-
-## v4.1.4
-- Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1692
-- Add dependabot config by @cory-miller in https://github.com/actions/checkout/pull/1688
-- Bump the minor-actions-dependencies group with 2 updates by @dependabot in https://github.com/actions/checkout/pull/1693
-- Bump word-wrap from 1.2.3 to 1.2.5 by @dependabot in https://github.com/actions/checkout/pull/1643
-
-## v4.1.3
-- Check git version before attempting to disable `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1656
-- Add SSH user parameter by @cory-miller in https://github.com/actions/checkout/pull/1685
-- Update `actions/checkout` version in `update-main-version.yml` by @jww3 in https://github.com/actions/checkout/pull/1650
-
-## v4.1.2
-- Fix: Disable sparse checkout whenever `sparse-checkout` option is not present @dscho in https://github.com/actions/checkout/pull/1598
-
-## v4.1.1
-- Correct link to GitHub Docs by @peterbe in https://github.com/actions/checkout/pull/1511
-- Link to release page from what's new section by @cory-miller in https://github.com/actions/checkout/pull/1514
-
-## v4.1.0
-- [Add support for partial checkout filters](https://github.com/actions/checkout/pull/1396)
-
-## v4.0.0
-- [Support fetching without the --progress option](https://github.com/actions/checkout/pull/1067)
-- [Update to node20](https://github.com/actions/checkout/pull/1436)
-
-## v3.6.0
-- [Fix: Mark test scripts with Bash'isms to be run via Bash](https://github.com/actions/checkout/pull/1377)
-- [Add option to fetch tags even if fetch-depth > 0](https://github.com/actions/checkout/pull/579)
-
-## v3.5.3
-- [Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in](https://github.com/actions/checkout/pull/1196)
-- [Fix typos found by codespell](https://github.com/actions/checkout/pull/1287)
-- [Add support for sparse checkouts](https://github.com/actions/checkout/pull/1369)
-
-## v3.5.2
-- [Fix api endpoint for GHES](https://github.com/actions/checkout/pull/1289)
-
-## v3.5.1
-- [Fix slow checkout on Windows](https://github.com/actions/checkout/pull/1246)
-
-## v3.5.0
-* [Add new public key for known_hosts](https://github.com/actions/checkout/pull/1237)
-
-## v3.4.0
-- [Upgrade codeql actions to v2](https://github.com/actions/checkout/pull/1209)
-- [Upgrade dependencies](https://github.com/actions/checkout/pull/1210)
-- [Upgrade @actions/io](https://github.com/actions/checkout/pull/1225)
-
-## v3.3.0
-- [Implement branch list using callbacks from exec function](https://github.com/actions/checkout/pull/1045)
-- [Add in explicit reference to private checkout options](https://github.com/actions/checkout/pull/1050)
-- [Fix comment typos (that got added in #770)](https://github.com/actions/checkout/pull/1057)
-
-## v3.2.0
-- [Add GitHub Action to perform release](https://github.com/actions/checkout/pull/942)
-- [Fix status badge](https://github.com/actions/checkout/pull/967)
-- [Replace datadog/squid with ubuntu/squid Docker image](https://github.com/actions/checkout/pull/1002)
-- [Wrap pipeline commands for submoduleForeach in quotes](https://github.com/actions/checkout/pull/964)
-- [Update @actions/io to 1.1.2](https://github.com/actions/checkout/pull/1029)
-- [Upgrading version to 3.2.0](https://github.com/actions/checkout/pull/1039)
-
 ## v3.1.0
 - [Use @actions/core `saveState` and `getState`](https://github.com/actions/checkout/pull/939)
 - [Add `github-server-url` input](https://github.com/actions/checkout/pull/922)

README.md

@@ -1,66 +1,25 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
 
-# Checkout v7
-
-## What's new
-
-- Safer fork pull request handling: checkout now refuses to check out fork pull request code by default when the workflow is triggered by `pull_request_target` or `workflow_run`. These triggers run with the base repository's `GITHUB_TOKEN`, secrets, and runner access, where executing a fork's code commonly leads to "pwn request" vulnerabilities.
-  - To opt in after [reviewing the risks](https://gh.io/securely-using-pull_request_target), set the new `allow-unsafe-pr-checkout: true` input.
-- Migrated `actions/checkout` to ESM to support new versions of the `@actions/*` packages.
-- Updated direct and transitive dependencies, including security fixes for known vulnerabilities.
-
-# Checkout v6
-
-## What's new
-
-- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
-- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
-- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
-
-# Checkout v5
-
-## What's new
-
-- Updated to the node24 runtime
-  - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
-
-# Checkout v4
+# Checkout V3
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
-Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 
 The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
 
 When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.
 
-### Note
-
-Thank you for your interest in this GitHub action, however, right now we are not taking contributions. 
-
-We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in.
-
-We are taking the following steps to better direct requests related to GitHub Actions, including:
-
-1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions)
-
-2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report.
-
-3. Security Issues should be handled as per our [security.md](security.md)
-
-We will still provide security updates for this project and fix major breaking changes during this time.
-
-You are welcome to still raise bugs in this repo.
-
 # What's new
 
-Please refer to the [release page](https://github.com/actions/checkout/releases/latest) for the latest release notes.
+- Updated to the node16 runtime by default
+  - This requires a minimum [Actions Runner](https://github.com/actions/runner/releases/tag/v2.285.0) version of v2.285.0 to run, which is by default available in GHES 3.4 or later.
 
 # Usage
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v7
+- uses: actions/checkout@v3
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -104,11 +63,6 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     # Default: true
     ssh-strict: ''
 
-    # The user to use when connecting to the remote SSH host. By default 'git' is
-    # used.
-    # Default: git
-    ssh-user: ''
-
     # Whether to configure the token or SSH key with the local git config
     # Default: true
     persist-credentials: ''
@@ -120,31 +74,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     # Default: true
     clean: ''
 
-    # Partially clone against a given filter. Overrides sparse-checkout if set.
-    # Default: null
-    filter: ''
-
-    # Do a sparse checkout on given patterns. Each pattern should be separated with
-    # new lines.
-    # Default: null
-    sparse-checkout: ''
-
-    # Specifies whether to use cone-mode when doing a sparse checkout.
-    # Default: true
-    sparse-checkout-cone-mode: ''
-
     # Number of commits to fetch. 0 indicates all history for all branches and tags.
     # Default: 1
     fetch-depth: ''
 
-    # Whether to fetch tags, even if fetch-depth > 0.
-    # Default: false
-    fetch-tags: ''
-
-    # Whether to show progress status output when fetching.
-    # Default: true
-    show-progress: ''
-
     # Whether to download Git-LFS files
     # Default: false
     lfs: ''
@@ -168,75 +101,25 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     # running from unless specified. Example URLs are https://github.com or
     # https://my-ghes-server.example.com
     github-server-url: ''
-
-    # Required to check out fork pull request code from a workflow triggered by
-    # `pull_request_target` or `workflow_run`. These workflows run with the base
-    # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
-    # access; fetching and executing a fork's code in that trusted context commonly
-    # leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
-    # risks at https://gh.io/securely-using-pull_request_target.
-    # Default: false
-    allow-unsafe-pr-checkout: ''
 ```
 <!-- end usage -->
 
 # Scenarios
 
-- [Checkout V5](#checkout-v5)
-  - [What's new](#whats-new)
-- [Checkout V4](#checkout-v4)
-    - [Note](#note)
-- [What's new](#whats-new-1)
-- [Usage](#usage)
-- [Scenarios](#scenarios)
-  - [Fetch only the root files](#fetch-only-the-root-files)
-  - [Fetch only the root files and `.github` and `src` folder](#fetch-only-the-root-files-and-github-and-src-folder)
-  - [Fetch only a single file](#fetch-only-a-single-file)
-  - [Fetch all history for all tags and branches](#fetch-all-history-for-all-tags-and-branches)
-  - [Checkout a different branch](#checkout-a-different-branch)
-  - [Checkout HEAD^](#checkout-head)
-  - [Checkout multiple repos (side by side)](#checkout-multiple-repos-side-by-side)
-  - [Checkout multiple repos (nested)](#checkout-multiple-repos-nested)
-  - [Checkout multiple repos (private)](#checkout-multiple-repos-private)
-  - [Checkout pull request HEAD commit instead of merge commit](#checkout-pull-request-head-commit-instead-of-merge-commit)
-  - [Checkout pull request on closed event](#checkout-pull-request-on-closed-event)
-  - [Push a commit using the built-in token](#push-a-commit-using-the-built-in-token)
-  - [Push a commit to a PR using the built-in token](#push-a-commit-to-a-pr-using-the-built-in-token)
-- [Recommended permissions](#recommended-permissions)
-- [License](#license)
-
-## Fetch only the root files
-
-```yaml
-- uses: actions/checkout@v7
-  with:
-    sparse-checkout: .
-```
-
-## Fetch only the root files and `.github` and `src` folder
-
-```yaml
-- uses: actions/checkout@v7
-  with:
-    sparse-checkout: |
-      .github
-      src
-```
-
-## Fetch only a single file
-
-```yaml
-- uses: actions/checkout@v7
-  with:
-    sparse-checkout: |
-      README.md
-    sparse-checkout-cone-mode: false
-```
+- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
+- [Checkout a different branch](#Checkout-a-different-branch)
+- [Checkout HEAD^](#Checkout-HEAD)
+- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
+- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
+- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
+- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
+- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
 
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v7
+- uses: actions/checkout@v3
   with:
     fetch-depth: 0
 ```
@@ -244,7 +127,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v7
+- uses: actions/checkout@v3
   with:
     ref: my-branch
 ```
@@ -252,7 +135,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v7
+- uses: actions/checkout@v3
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -262,42 +145,40 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v7
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v7
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
 ```
-> - If your secondary repository is private or internal you will need to add the option noted in [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 
 ## Checkout multiple repos (nested)
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v7
+  uses: actions/checkout@v3
 
 - name: Checkout tools repo
-  uses: actions/checkout@v7
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
 ```
-> - If your secondary repository is private or internal you will need to add the option noted in [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 
 ## Checkout multiple repos (private)
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v7
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v7
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -310,7 +191,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v7
+- uses: actions/checkout@v3
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -326,7 +207,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v3
 ```
 
 ## Push a commit using the built-in token
@@ -337,51 +218,15 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v3
       - run: |
           date > generated.txt
-          # Note: the following account information will not work on GHES
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name github-actions
+          git config user.email github-actions@github.com
           git add .
           git commit -m "generated"
           git push
 ```
-*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
-
-## Push a commit to a PR using the built-in token
-
-In a pull request trigger, `ref` is required as GitHub Actions checks out in detached HEAD mode, meaning it doesn’t check out your branch by default.
-
-```yaml
-on: pull_request
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v7
-        with:
-          ref: ${{ github.head_ref }}
-      - run: |
-          date > generated.txt
-          # Note: the following account information will not work on GHES
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add .
-          git commit -m "generated"
-          git push
-```
-
-*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
-
-# Recommended permissions
-
-When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
-
-```yaml
-permissions:
-  contents: read
-```
 
 # License
 

__test__/git-auth-helper.test.ts

@@ -1,46 +1,12 @@
-import {
-  jest,
-  describe,
-  it,
-  expect,
-  beforeAll,
-  beforeEach,
-  afterEach,
-  afterAll
-} from '@jest/globals'
+import * as core from '@actions/core'
 import * as fs from 'fs'
+import * as gitAuthHelper from '../lib/git-auth-helper'
 import * as io from '@actions/io'
 import * as os from 'os'
 import * as path from 'path'
-import {fileURLToPath} from 'url'
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url))
-
-// Mock @actions/core before loading git-auth-helper
-jest.unstable_mockModule('@actions/core', () => ({
-  setSecret: jest.fn(),
-  error: jest.fn(),
-  warning: jest.fn(),
-  info: jest.fn(),
-  debug: jest.fn(),
-  setFailed: jest.fn()
-}))
-
-// Mock state-helper
-jest.unstable_mockModule('../src/state-helper.js', () => ({
-  setSshKeyPath: jest.fn(),
-  setSshKnownHostsPath: jest.fn(),
-  IsPost: false,
-  RepositoryPath: ''
-}))
-
-// Dynamic imports after mocking
-const core = await import('@actions/core')
-const gitAuthHelper = await import('../src/git-auth-helper.js')
-type IGitCommandManager =
-  import('../src/git-command-manager.js').IGitCommandManager
-type IGitSourceSettings =
-  import('../src/git-source-settings.js').IGitSourceSettings
+import * as stateHelper from '../lib/state-helper'
+import {IGitCommandManager} from '../lib/git-command-manager'
+import {IGitSourceSettings} from '../lib/git-source-settings'
 
 const isWindows = process.platform === 'win32'
 const testWorkspace = path.join(__dirname, '_temp', 'git-auth-helper')
@@ -66,12 +32,25 @@ describe('git-auth-helper tests', () => {
   })
 
   beforeEach(() => {
-    jest.clearAllMocks()
+    // Mock setSecret
+    jest.spyOn(core, 'setSecret').mockImplementation((secret: string) => {})
+
+    // Mock error/warning/info/debug
+    jest.spyOn(core, 'error').mockImplementation(jest.fn())
+    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
+    jest.spyOn(core, 'info').mockImplementation(jest.fn())
+    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
+
+    // Mock state helper
+    jest.spyOn(stateHelper, 'setSshKeyPath').mockImplementation(jest.fn())
+    jest
+      .spyOn(stateHelper, 'setSshKnownHostsPath')
+      .mockImplementation(jest.fn())
   })
 
   afterEach(() => {
     // Unregister mocks
-    jest.clearAllMocks()
+    jest.restoreAllMocks()
 
     // Restore HOME
     if (originalHome) {
@@ -107,29 +86,16 @@ describe('git-auth-helper tests', () => {
     // Act
     await authHelper.configureAuth()
 
-    // Assert config - check that .git/config contains includeIf entries
-    const localConfigContent = (
+    // Assert config
+    const configContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:')
-    ).toBeGreaterThanOrEqual(0)
-
-    // Assert credentials config file contains the actual credentials
-    const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(1)
-    const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
-    const credentialsContent = (
-      await fs.promises.readFile(credentialsConfigPath)
-    ).toString()
     const basicCredential = Buffer.from(
       `x-access-token:${settings.authToken}`,
       'utf8'
     ).toString('base64')
     expect(
-      credentialsContent.indexOf(
+      configContent.indexOf(
         `http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}`
       )
     ).toBeGreaterThanOrEqual(0)
@@ -154,7 +120,7 @@ describe('git-auth-helper tests', () => {
     'inject https://github.com as github server url'
   it(configureAuth_AcceptsGitHubServerUrlSetToGHEC, async () => {
     await testAuthHeader(
-      configureAuth_AcceptsGitHubServerUrlSetToGHEC,
+      configureAuth_AcceptsGitHubServerUrl,
       'https://github.com'
     )
   })
@@ -175,17 +141,12 @@ describe('git-auth-helper tests', () => {
       // Act
       await authHelper.configureAuth()
 
-      // Assert config - check credentials config file (not local .git/config)
-      const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-        f => f.startsWith('git-credentials-') && f.endsWith('.config')
-      )
-      expect(credentialsFiles.length).toBe(1)
-      const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
-      const credentialsContent = (
-        await fs.promises.readFile(credentialsConfigPath)
+      // Assert config
+      const configContent = (
+        await fs.promises.readFile(localGitConfigPath)
       ).toString()
       expect(
-        credentialsContent.indexOf(
+        configContent.indexOf(
           `http.https://github.com/.extraheader AUTHORIZATION`
         )
       ).toBeGreaterThanOrEqual(0)
@@ -208,9 +169,8 @@ describe('git-auth-helper tests', () => {
 
     // Mock fs.promises.readFile
     const realReadFile = fs.promises.readFile
-    jest
-      .spyOn(fs.promises, 'readFile')
-      .mockImplementation(async (file: any, options: any): Promise<Buffer> => {
+    jest.spyOn(fs.promises, 'readFile').mockImplementation(
+      async (file: any, options: any): Promise<Buffer> => {
         const userKnownHostsPath = path.join(
           os.homedir(),
           '.ssh',
@@ -221,7 +181,8 @@ describe('git-auth-helper tests', () => {
         }
 
         return await realReadFile(file, options)
-      })
+      }
+    )
 
     // Act
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
@@ -250,7 +211,7 @@ describe('git-auth-helper tests', () => {
     await authHelper.configureAuth()
 
     // Assert secret
-    const setSecretSpy = core.setSecret as jest.Mock<any>
+    const setSecretSpy = core.setSecret as jest.Mock<any, any>
     expect(setSecretSpy).toHaveBeenCalledTimes(1)
     const expectedSecret = Buffer.from(
       `x-access-token:${settings.authToken}`,
@@ -290,16 +251,13 @@ describe('git-auth-helper tests', () => {
       expectedSshCommand
     )
 
-    // Assert git config
+    // Asserty git config
     const gitConfigLines = (await fs.promises.readFile(localGitConfigPath))
       .toString()
       .split('\n')
       .filter(x => x)
-    // Should have includeIf entries pointing to credentials file
-    expect(gitConfigLines.length).toBeGreaterThan(0)
-    expect(
-      gitConfigLines.some(line => line.indexOf('includeIf.gitdir:') >= 0)
-    ).toBeTruthy()
+    expect(gitConfigLines).toHaveLength(1)
+    expect(gitConfigLines[0]).toMatch(/^http\./)
   })
 
   const configureAuth_setsSshCommandWhenPersistCredentialsTrue =
@@ -461,20 +419,8 @@ describe('git-auth-helper tests', () => {
     expect(
       configContent.indexOf('value-from-global-config')
     ).toBeGreaterThanOrEqual(0)
-    // Global config should have include.path pointing to credentials file
-    expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
-
-    // Check credentials in the separate config file
-    const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBeGreaterThan(0)
-    const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
-    const credentialsContent = (
-      await fs.promises.readFile(credentialsConfigPath)
-    ).toString()
     expect(
-      credentialsContent.indexOf(
+      configContent.indexOf(
         `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
       )
     ).toBeGreaterThanOrEqual(0)
@@ -517,20 +463,8 @@ describe('git-auth-helper tests', () => {
       const configContent = (
         await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
       ).toString()
-      // Global config should have include.path pointing to credentials file
-      expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
-
-      // Check credentials in the separate config file
-      const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-        f => f.startsWith('git-credentials-') && f.endsWith('.config')
-      )
-      expect(credentialsFiles.length).toBeGreaterThan(0)
-      const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
-      const credentialsContent = (
-        await fs.promises.readFile(credentialsConfigPath)
-      ).toString()
       expect(
-        credentialsContent.indexOf(
+        configContent.indexOf(
           `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
         )
       ).toBeGreaterThanOrEqual(0)
@@ -550,7 +484,7 @@ describe('git-auth-helper tests', () => {
       settings.sshKey = ''
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
@@ -583,7 +517,7 @@ describe('git-auth-helper tests', () => {
       settings.persistCredentials = false
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
@@ -609,22 +543,22 @@ describe('git-auth-helper tests', () => {
       settings.sshKey = ''
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      // Should configure insteadOf (2 calls for two values)
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(
+      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
         /url.*insteadOf.*git@github.com:/
       )
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
+      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
         /url.*insteadOf.*org-123456@github.com:/
       )
     }
@@ -648,19 +582,19 @@ describe('git-auth-helper tests', () => {
       )
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      // Should configure sshCommand (1 call)
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/core\.sshCommand/)
+      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
     }
   )
 
@@ -726,201 +660,19 @@ describe('git-auth-helper tests', () => {
     await setup(removeAuth_removesToken)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
-
-    // Verify includeIf entries exist in local config
-    let localConfigContent = (
+    let gitConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:')
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify both host and container includeIf entries are present
-    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
-    expect(
-      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify credentials file exists
-    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(1)
-    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
-
-    // Verify credentials file contains the auth token
-    let credentialsContent = (
-      await fs.promises.readFile(credentialsFilePath)
-    ).toString()
-    const basicCredential = Buffer.from(
-      `x-access-token:${settings.authToken}`,
-      'utf8'
-    ).toString('base64')
-    expect(
-      credentialsContent.indexOf(
-        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
-      )
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify the includeIf entries point to the credentials file
-    const containerCredentialsPath = path.posix.join(
-      '/github/runner_temp',
-      path.basename(credentialsFilePath)
-    )
-    expect(
-      localConfigContent.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      localConfigContent.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
+    expect(gitConfigContent.indexOf('http.')).toBeGreaterThanOrEqual(0) // sanity check
 
     // Act
     await authHelper.removeAuth()
 
-    // Assert all includeIf entries removed from local git config
-    localConfigContent = (
+    // Assert git config
+    gitConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
-    expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(
-      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
-    ).toBeLessThan(0)
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
-    ).toBeLessThan(0)
-    expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
-
-    // Assert credentials config file deleted
-    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(0)
-
-    // Verify credentials file no longer exists on disk
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
-  })
-
-  const removeAuth_removesTokenFromSubmodules =
-    'removeAuth removes token from submodules'
-  it(removeAuth_removesTokenFromSubmodules, async () => {
-    // Arrange
-    await setup(removeAuth_removesTokenFromSubmodules)
-
-    // Create fake submodule config paths
-    const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
-    const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
-    const submodule1ConfigPath = path.join(submodule1Dir, 'config')
-    const submodule2ConfigPath = path.join(submodule2Dir, 'config')
-
-    await fs.promises.mkdir(submodule1Dir, {recursive: true})
-    await fs.promises.mkdir(submodule2Dir, {recursive: true})
-    await fs.promises.writeFile(submodule1ConfigPath, '')
-    await fs.promises.writeFile(submodule2ConfigPath, '')
-
-    // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
-    const mockGetSubmoduleConfigPaths =
-      git.getSubmoduleConfigPaths as jest.Mock<any>
-    mockGetSubmoduleConfigPaths.mockResolvedValue([
-      submodule1ConfigPath,
-      submodule2ConfigPath
-    ])
-
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-    await authHelper.configureSubmoduleAuth()
-
-    // Verify credentials file exists
-    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(1)
-    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
-
-    // Verify submodule 1 config has includeIf entries
-    let submodule1Content = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
-    expect(
-      submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule1Content.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify submodule 2 config has includeIf entries
-    let submodule2Content = (
-      await fs.promises.readFile(submodule2ConfigPath)
-    ).toString()
-    const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
-    expect(
-      submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule2Content.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify both host and container paths are in each submodule config
-    const containerCredentialsPath = path.posix.join(
-      '/github/runner_temp',
-      path.basename(credentialsFilePath)
-    )
-    expect(
-      submodule1Content.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule2Content.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Act - ensure mock persists for removeAuth
-    mockGetSubmoduleConfigPaths.mockResolvedValue([
-      submodule1ConfigPath,
-      submodule2ConfigPath
-    ])
-    await authHelper.removeAuth()
-
-    // Assert submodule 1 includeIf entries removed
-    submodule1Content = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
-
-    // Assert submodule 2 includeIf entries removed
-    submodule2Content = (
-      await fs.promises.readFile(submodule2ConfigPath)
-    ).toString()
-    expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
-
-    // Assert credentials config file deleted
-    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(0)
-
-    // Verify credentials file no longer exists on disk
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
+    expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
   })
 
   const removeGlobalConfig_removesOverride =
@@ -949,52 +701,6 @@ describe('git-auth-helper tests', () => {
       }
     }
   })
-
-  const testCredentialsConfigPath_matchesCredentialsConfigPaths =
-    'testCredentialsConfigPath matches credentials config paths'
-  it(testCredentialsConfigPath_matchesCredentialsConfigPaths, async () => {
-    // Arrange
-    await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-
-    // Get a real credentials config path
-    const credentialsConfigPath = await (
-      authHelper as any
-    ).getCredentialsConfigPath()
-
-    // Act & Assert
-    expect(
-      (authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
-    ).toBe(true)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
-      )
-    ).toBe(true)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
-      )
-    ).toBe(true)
-
-    // Test invalid paths
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/other-config.config'
-      )
-    ).toBe(false)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-invalid.config'
-      )
-    ).toBe(false)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-.config'
-      )
-    ).toBe(false)
-    expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
-  })
 })
 
 async function setup(testName: string): Promise<void> {
@@ -1009,7 +715,6 @@ async function setup(testName: string): Promise<void> {
   await fs.promises.mkdir(tempHomedir, {recursive: true})
   process.env['RUNNER_TEMP'] = runnerTemp
   process.env['HOME'] = tempHomedir
-  process.env['GITHUB_WORKSPACE'] = workspace
 
   // Create git config
   globalGitConfigPath = path.join(tempHomedir, '.gitconfig')
@@ -1022,26 +727,13 @@ async function setup(testName: string): Promise<void> {
     branchDelete: jest.fn(),
     branchExists: jest.fn(),
     branchList: jest.fn(),
-    disableSparseCheckout: jest.fn(),
-    sparseCheckout: jest.fn(),
-    sparseCheckoutNonConeMode: jest.fn(),
     checkout: jest.fn(),
     checkoutDetach: jest.fn(),
     config: jest.fn(
-      async (
-        key: string,
-        value: string,
-        globalConfig?: boolean,
-        add?: boolean,
-        configFile?: string
-      ) => {
-        const configPath =
-          configFile ||
-          (globalConfig
+      async (key: string, value: string, globalConfig?: boolean) => {
+        const configPath = globalConfig
           ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        // Ensure directory exists
-        await fs.promises.mkdir(path.dirname(configPath), {recursive: true})
+          : localGitConfigPath
         await fs.promises.appendFile(configPath, `\n${key} ${value}`)
       }
     ),
@@ -1061,7 +753,6 @@ async function setup(testName: string): Promise<void> {
     env: {},
     fetch: jest.fn(),
     getDefaultBranch: jest.fn(),
-    getSubmoduleConfigPaths: jest.fn(async () => []),
     getWorkingDirectory: jest.fn(() => workspace),
     init: jest.fn(),
     isDetached: jest.fn(),
@@ -1079,9 +770,6 @@ async function setup(testName: string): Promise<void> {
       return ''
     }),
     submoduleSync: jest.fn(),
-    submoduleStatus: jest.fn(async () => {
-      return true
-    }),
     submoduleUpdate: jest.fn(),
     tagExists: jest.fn(),
     tryClean: jest.fn(),
@@ -1100,86 +788,16 @@ async function setup(testName: string): Promise<void> {
         return true
       }
     ),
-    tryConfigUnsetValue: jest.fn(
-      async (
-        key: string,
-        value: string,
-        globalConfig?: boolean,
-        configPath?: string
-      ): Promise<boolean> => {
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        let content = await fs.promises.readFile(targetConfigPath)
-        let lines = content
-          .toString()
-          .split('\n')
-          .filter(x => x)
-          .filter(x => !(x.startsWith(key) && x.includes(value)))
-        await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
-        return true
-      }
-    ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(),
-    tryGetConfigValues: jest.fn(
-      async (
-        key: string,
-        globalConfig?: boolean,
-        configPath?: string
-      ): Promise<string[]> => {
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        const content = await fs.promises.readFile(targetConfigPath)
-        const lines = content
-          .toString()
-          .split('\n')
-          .filter(x => x && x.startsWith(key))
-          .map(x => x.substring(key.length).trim())
-        return lines
+    tryReset: jest.fn()
   }
-    ),
-    tryGetConfigKeys: jest.fn(
-      async (
-        pattern: string,
-        globalConfig?: boolean,
-        configPath?: string
-      ): Promise<string[]> => {
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        const content = await fs.promises.readFile(targetConfigPath)
-        const lines = content
-          .toString()
-          .split('\n')
-          .filter(x => x)
-        const keys = lines
-          .filter(x => new RegExp(pattern).test(x.split(' ')[0]))
-          .map(x => x.split(' ')[0])
-        return [...new Set(keys)] // Remove duplicates
-      }
-    ),
-    tryReset: jest.fn(),
-    version: jest.fn()
-  } as unknown as IGitCommandManager & {env: {[key: string]: string}}
 
   settings = {
     authToken: 'some auth token',
     clean: true,
     commit: '',
-    filter: undefined,
-    sparseCheckout: [],
-    sparseCheckoutConeMode: true,
     fetchDepth: 1,
-    fetchTags: false,
-    showProgress: true,
     lfs: false,
     submodules: false,
     nestedSubmodules: false,
@@ -1191,17 +809,14 @@ async function setup(testName: string): Promise<void> {
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
     sshStrict: true,
-    sshUser: '',
     workflowOrganizationId: 123456,
     setSafeDirectory: true,
-    githubServerUrl: githubServerUrl,
-    allowUnsafePrCheckout: false
+    githubServerUrl: githubServerUrl
   }
 }
 
 async function getActualSshKeyPath(): Promise<string> {
   let actualTempFiles = (await fs.promises.readdir(runnerTemp))
-    .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
     .sort()
     .map(x => path.join(runnerTemp, x))
   if (actualTempFiles.length === 0) {
@@ -1215,7 +830,6 @@ async function getActualSshKeyPath(): Promise<string> {
 
 async function getActualSshKnownHostsPath(): Promise<string> {
   let actualTempFiles = (await fs.promises.readdir(runnerTemp))
-    .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
     .sort()
     .map(x => path.join(runnerTemp, x))
   if (actualTempFiles.length === 0) {

__test__/git-command-manager.test.ts

@@ -1,574 +0,0 @@
-import {
-  jest,
-  describe,
-  it,
-  expect,
-  beforeAll,
-  beforeEach,
-  afterEach,
-  afterAll
-} from '@jest/globals'
-
-// Mock @actions/exec
-const mockExec = jest.fn()
-jest.unstable_mockModule('@actions/exec', () => ({
-  exec: mockExec
-}))
-
-// Mock fs-helper
-const mockFileExistsSync = jest.fn()
-const mockDirectoryExistsSync = jest.fn()
-jest.unstable_mockModule('../src/fs-helper.js', () => ({
-  fileExistsSync: mockFileExistsSync,
-  directoryExistsSync: mockDirectoryExistsSync
-}))
-
-// Dynamic imports after mocking
-const commandManager = await import('../src/git-command-manager.js')
-type IGitCommandManager =
-  import('../src/git-command-manager.js').IGitCommandManager
-
-let git: IGitCommandManager
-
-describe('git-auth-helper tests', () => {
-  beforeAll(async () => {})
-
-  beforeEach(async () => {
-    mockFileExistsSync.mockReset()
-    mockDirectoryExistsSync.mockReset()
-  })
-
-  afterEach(() => {
-    jest.clearAllMocks()
-  })
-
-  afterAll(() => {})
-
-  it('branch list matches', async () => {
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      console.log(args, options.listeners.stdout)
-
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-        return 0
-      }
-
-      if (args.includes('rev-parse')) {
-        options.listeners.stdline(Buffer.from('refs/heads/foo'))
-        options.listeners.stdline(Buffer.from('refs/heads/bar'))
-        return 0
-      }
-
-      return 1
-    })
-    // exec.exec is already mockExec
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    let branches = await git.branchList(false)
-
-    expect(branches).toHaveLength(2)
-    expect(branches.sort()).toEqual(['foo', 'bar'].sort())
-  })
-
-  it('ambiguous ref name output is captured', async () => {
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      console.log(args, options.listeners.stdout)
-
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-        return 0
-      }
-
-      if (args.includes('rev-parse')) {
-        options.listeners.stdline(Buffer.from('refs/heads/foo'))
-        // If refs/tags/v1 and refs/heads/tags/v1 existed on this repository
-        options.listeners.errline(
-          Buffer.from("error: refname 'tags/v1' is ambiguous")
-        )
-        return 0
-      }
-
-      return 1
-    })
-    // exec.exec is already mockExec
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    let branches = await git.branchList(false)
-
-    expect(branches).toHaveLength(1)
-    expect(branches.sort()).toEqual(['foo'].sort())
-  })
-})
-
-describe('Test fetchDepth and fetchTags options', () => {
-  beforeEach(async () => {
-    mockFileExistsSync.mockReset()
-    mockDirectoryExistsSync.mockReset()
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      console.log(args, options.listeners.stdout)
-
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-
-      return 0
-    })
-  })
-
-  afterEach(() => {
-    jest.clearAllMocks()
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
-    // exec.exec is already mockExec
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    const refSpec = ['refspec1', 'refspec2']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 0
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--filter=filterValue',
-        'origin',
-        'refspec1',
-        'refspec2'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 0
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--filter=filterValue',
-        'origin',
-        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 1
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--filter=filterValue',
-        '--depth=1',
-        'origin',
-        'refspec1',
-        'refspec2'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 1
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--filter=filterValue',
-        '--depth=1',
-        'origin',
-        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when showProgress is true', async () => {
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2']
-    const options = {
-      filter: 'filterValue',
-      showProgress: true
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--progress',
-        '--filter=filterValue',
-        'origin',
-        'refspec1',
-        'refspec2'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 42 and showProgress is true', async () => {
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 42,
-      showProgress: true
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--progress',
-        '--filter=filterValue',
-        '--depth=42',
-        'origin',
-        'refspec1',
-        'refspec2'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
-    const options = {
-      filter: 'filterValue',
-      showProgress: true
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--progress',
-        '--filter=filterValue',
-        'origin',
-        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
-      ],
-      expect.any(Object)
-    )
-  })
-})
-
-describe('repository initialization object format', () => {
-  beforeEach(async () => {
-    mockFileExistsSync.mockReset()
-    mockDirectoryExistsSync.mockReset()
-  })
-
-  afterEach(() => {
-    jest.clearAllMocks()
-  })
-
-  it('initializes SHA-256 repositories with the matching object format', async () => {
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('git version 2.50.1'))
-      }
-
-      return 0
-    })
-    // exec.exec is already mockExec
-
-    git = await commandManager.createCommandManager('test', false, false)
-
-    await git.init('sha256')
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      ['init', '--object-format=sha256', 'test'],
-      expect.any(Object)
-    )
-  })
-
-  it('initializes SHA-1 repositories with existing default arguments', async () => {
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('git version 2.50.1'))
-      }
-
-      return 0
-    })
-    // exec.exec is already mockExec
-
-    git = await commandManager.createCommandManager('test', false, false)
-
-    await git.init('sha1')
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      ['init', 'test'],
-      expect.any(Object)
-    )
-  })
-})
-
-describe('git user-agent with orchestration ID', () => {
-  beforeEach(async () => {
-    mockFileExistsSync.mockReset()
-    mockDirectoryExistsSync.mockReset()
-  })
-
-  afterEach(() => {
-    jest.clearAllMocks()
-    // Clean up environment variable to prevent test pollution
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-  })
-
-  it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
-    const orchId = 'test-orch-id-12345'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent includes the orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      `git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
-    )
-  })
-
-  it('should sanitize invalid characters in orchestration ID', async () => {
-    const orchId = 'test (with) special/chars'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
-    )
-  })
-
-  it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path: any, args: any, options: any) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    // exec.exec is already mockExec
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent does NOT contain orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout)'
-    )
-  })
-})

__test__/git-directory-helper.test.ts

@@ -1,36 +1,9 @@
-import {
-  jest,
-  describe,
-  it,
-  expect,
-  beforeAll,
-  beforeEach,
-  afterEach
-} from '@jest/globals'
+import * as core from '@actions/core'
 import * as fs from 'fs'
+import * as gitDirectoryHelper from '../lib/git-directory-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
-import {fileURLToPath} from 'url'
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url))
-
-// Mock @actions/core before loading git-directory-helper
-jest.unstable_mockModule('@actions/core', () => ({
-  error: jest.fn(),
-  warning: jest.fn(),
-  info: jest.fn(),
-  debug: jest.fn(),
-  setFailed: jest.fn(),
-  startGroup: jest.fn(),
-  endGroup: jest.fn()
-}))
-
-// Dynamic imports after mocking
-const core = await import('@actions/core')
-const gitDirectoryHelper = await import('../src/git-directory-helper.js')
-
-type IGitCommandManager =
-  import('../src/git-command-manager.js').IGitCommandManager
+import {IGitCommandManager} from '../lib/git-command-manager'
 
 const testWorkspace = path.join(__dirname, '_temp', 'git-directory-helper')
 let repositoryPath: string
@@ -46,11 +19,16 @@ describe('git-directory-helper tests', () => {
   })
 
   beforeEach(() => {
-    jest.clearAllMocks()
+    // Mock error/warning/info/debug
+    jest.spyOn(core, 'error').mockImplementation(jest.fn())
+    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
+    jest.spyOn(core, 'info').mockImplementation(jest.fn())
+    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
   })
 
   afterEach(() => {
-    jest.clearAllMocks()
+    // Unregister mocks
+    jest.restoreAllMocks()
   })
 
   const cleansWhenCleanTrue = 'cleans when clean true'
@@ -103,7 +81,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(doesNotCheckoutDetachWhenNotAlreadyDetached)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockIsDetached = git.isDetached as jest.Mock<any>
+    const mockIsDetached = git.isDetached as jest.Mock<any, any>
     mockIsDetached.mockImplementation(async () => {
       return true
     })
@@ -154,7 +132,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesContentsWhenCleanFails)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    let mockTryClean = git.tryClean as jest.Mock<any>
+    let mockTryClean = git.tryClean as jest.Mock<any, any>
     mockTryClean.mockImplementation(async () => {
       return false
     })
@@ -232,7 +210,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesContentsWhenResetFails)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    let mockTryReset = git.tryReset as jest.Mock<any>
+    let mockTryReset = git.tryReset as jest.Mock<any, any>
     mockTryReset.mockImplementation(async () => {
       return false
     })
@@ -282,7 +260,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesLocalBranches)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockBranchList = git.branchList as jest.Mock<any>
+    const mockBranchList = git.branchList as jest.Mock<any, any>
     mockBranchList.mockImplementation(async (remote: boolean) => {
       return remote ? [] : ['local-branch-1', 'local-branch-2']
     })
@@ -303,65 +281,6 @@ describe('git-directory-helper tests', () => {
     expect(git.branchDelete).toHaveBeenCalledWith(false, 'local-branch-2')
   })
 
-  const cleanWhenSubmoduleStatusIsFalse =
-    'cleans when submodule status is false'
-
-  it(cleanWhenSubmoduleStatusIsFalse, async () => {
-    // Arrange
-    await setup(cleanWhenSubmoduleStatusIsFalse)
-    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-
-    //mock bad submodule
-
-    const submoduleStatus = git.submoduleStatus as jest.Mock<any>
-    submoduleStatus.mockImplementation(async (remote: boolean) => {
-      return false
-    })
-
-    // Act
-    await gitDirectoryHelper.prepareExistingDirectory(
-      git,
-      repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
-    )
-
-    // Assert
-    const files = await fs.promises.readdir(repositoryPath)
-    expect(files).toHaveLength(0)
-    expect(git.tryClean).toHaveBeenCalled()
-  })
-
-  const doesNotCleanWhenSubmoduleStatusIsTrue =
-    'does not clean when submodule status is true'
-
-  it(doesNotCleanWhenSubmoduleStatusIsTrue, async () => {
-    // Arrange
-    await setup(doesNotCleanWhenSubmoduleStatusIsTrue)
-    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-
-    const submoduleStatus = git.submoduleStatus as jest.Mock<any>
-    submoduleStatus.mockImplementation(async (remote: boolean) => {
-      return true
-    })
-
-    // Act
-    await gitDirectoryHelper.prepareExistingDirectory(
-      git,
-      repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
-    )
-
-    // Assert
-
-    const files = await fs.promises.readdir(repositoryPath)
-    expect(files.sort()).toEqual(['.git', 'my-file'])
-    expect(git.tryClean).toHaveBeenCalled()
-  })
-
   const removesLockFiles = 'removes lock files'
   it(removesLockFiles, async () => {
     // Arrange
@@ -403,7 +322,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesAncestorRemoteBranch)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockBranchList = git.branchList as jest.Mock<any>
+    const mockBranchList = git.branchList as jest.Mock<any, any>
     mockBranchList.mockImplementation(async (remote: boolean) => {
       return remote ? ['origin/remote-branch-1', 'origin/remote-branch-2'] : []
     })
@@ -433,7 +352,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesDescendantRemoteBranches)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockBranchList = git.branchList as jest.Mock<any>
+    const mockBranchList = git.branchList as jest.Mock<any, any>
     mockBranchList.mockImplementation(async (remote: boolean) => {
       return remote
         ? ['origin/remote-branch-1/conflict', 'origin/remote-branch-2']
@@ -484,16 +403,12 @@ async function setup(testName: string): Promise<void> {
     branchList: jest.fn(async () => {
       return []
     }),
-    disableSparseCheckout: jest.fn(),
-    sparseCheckout: jest.fn(),
-    sparseCheckoutNonConeMode: jest.fn(),
     checkout: jest.fn(),
     checkoutDetach: jest.fn(),
     config: jest.fn(),
     configExists: jest.fn(),
     fetch: jest.fn(),
     getDefaultBranch: jest.fn(),
-    getSubmoduleConfigPaths: jest.fn(async () => []),
     getWorkingDirectory: jest.fn(() => repositoryPath),
     init: jest.fn(),
     isDetached: jest.fn(),
@@ -508,26 +423,19 @@ async function setup(testName: string): Promise<void> {
     submoduleForeach: jest.fn(),
     submoduleSync: jest.fn(),
     submoduleUpdate: jest.fn(),
-    submoduleStatus: jest.fn(async () => {
-      return true
-    }),
     tagExists: jest.fn(),
     tryClean: jest.fn(async () => {
       return true
     }),
     tryConfigUnset: jest.fn(),
-    tryConfigUnsetValue: jest.fn(),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(async () => {
       // Sanity check - this function shouldn't be called when the .git directory doesn't exist
       await fs.promises.stat(path.join(repositoryPath, '.git'))
       return repositoryUrl
     }),
-    tryGetConfigValues: jest.fn(),
-    tryGetConfigKeys: jest.fn(),
     tryReset: jest.fn(async () => {
       return true
-    }),
-    version: jest.fn()
-  } as unknown as IGitCommandManager
+    })
+  }
 }

__test__/git-version.test.ts

@@ -1,6 +1,4 @@
-import {describe, it, expect} from '@jest/globals'
-import {GitVersion} from '../src/git-version.js'
-import {MinimumGitSparseCheckoutVersion} from '../src/git-command-manager.js'
+import {GitVersion} from '../lib/git-version'
 
 describe('git-version tests', () => {
   it('basics', async () => {
@@ -44,44 +42,4 @@ describe('git-version tests', () => {
     expect(version.checkMinimum(new GitVersion('5.1'))).toBeFalsy()
     expect(version.checkMinimum(new GitVersion('5.1.2'))).toBeFalsy()
   })
-
-  it('sparse checkout', async () => {
-    const minSparseVer = MinimumGitSparseCheckoutVersion
-    expect(new GitVersion('1.0').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('1.99').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.0').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.24').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.24.0').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.24.9').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.25').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.25.0').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.25.1').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.25.9').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.26').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.26.0').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.26.1').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.26.9').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.27').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.27.0').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.27.1').checkMinimum(minSparseVer)).toBeFalsy()
-    expect(new GitVersion('2.27.9').checkMinimum(minSparseVer)).toBeFalsy()
-    //                             /---------------------------------------
-    //         ^^^ before         /         after vvv
-    // --------------------------/
-    expect(new GitVersion('2.28').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.28.0').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.28.1').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.28.9').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.29').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.29.0').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.29.1').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.29.9').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('2.99').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('3.0').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('3.99').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('4.0').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('4.99').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('5.0').checkMinimum(minSparseVer)).toBeTruthy()
-    expect(new GitVersion('5.99').checkMinimum(minSparseVer)).toBeTruthy()
-  })
 })

__test__/github-api-helper.test.ts

@@ -1,112 +0,0 @@
-import {jest, describe, it, expect, beforeEach, afterEach} from '@jest/globals'
-
-// Mock @actions/core
-const mockDebug = jest.fn()
-jest.unstable_mockModule('@actions/core', () => ({
-  debug: mockDebug,
-  info: jest.fn(),
-  warning: jest.fn(),
-  error: jest.fn()
-}))
-
-// Mock @actions/github
-const mockGetOctokit = jest.fn()
-jest.unstable_mockModule('@actions/github', () => ({
-  getOctokit: mockGetOctokit
-}))
-
-// Dynamic imports after mocking
-const githubApiHelper = await import('../src/github-api-helper.js')
-
-describe('github-api-helper object format', () => {
-  let request: jest.Mock<any>
-
-  function mockHashAlgorithmApi(hashAlgorithm: string): void {
-    request = jest.fn(async () => ({
-      data: {
-        hash_algorithm: hashAlgorithm
-      }
-    }))
-    mockGetOctokit.mockReturnValue({
-      request
-    } as any)
-  }
-
-  beforeEach(() => {
-    mockDebug.mockClear()
-    mockGetOctokit.mockClear()
-  })
-
-  afterEach(() => {
-    jest.clearAllMocks()
-  })
-
-  it('detects SHA-256 from the repository hash algorithm endpoint', async () => {
-    mockHashAlgorithmApi('sha256')
-
-    await expect(
-      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
-    ).resolves.toEqual({format: 'sha256', succeeded: true})
-
-    expect(mockGetOctokit).toHaveBeenCalledWith(
-      'token',
-      expect.objectContaining({baseUrl: 'https://api.github.com'})
-    )
-    expect(request).toHaveBeenCalledWith(
-      'GET /repos/{owner}/{repo}/hash-algorithm',
-      {owner: 'owner', repo: 'repo'}
-    )
-  })
-
-  it('detects SHA-1 from the repository hash algorithm endpoint', async () => {
-    mockHashAlgorithmApi('sha1')
-
-    await expect(
-      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
-    ).resolves.toEqual({format: 'sha1', succeeded: true})
-  })
-
-  it('detects object format from an existing commit without API calls', async () => {
-    const commitSha =
-      '9422233ca7ee1b17f1e905d0e141faf0c401556c41cdc6acd71c6bd685da2e92'
-
-    await expect(
-      githubApiHelper.tryGetRepositoryObjectFormat(
-        'token',
-        'owner',
-        'repo',
-        undefined,
-        commitSha
-      )
-    ).resolves.toEqual({format: 'sha256', succeeded: true})
-
-    expect(mockGetOctokit).not.toHaveBeenCalled()
-  })
-
-  it('returns unsuccessful when the hash algorithm endpoint value is not recognized', async () => {
-    mockHashAlgorithmApi('unknown')
-
-    await expect(
-      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
-    ).resolves.toEqual({format: '', succeeded: false})
-    expect(mockDebug).toHaveBeenCalledWith(
-      'Unable to determine repository object format from hash-algorithm endpoint'
-    )
-  })
-
-  it('returns unsuccessful when the hash algorithm API lookup fails', async () => {
-    request = jest.fn(async () => {
-      throw new Error('not found')
-    })
-    mockGetOctokit.mockReturnValue({
-      request
-    } as any)
-
-    await expect(
-      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
-    ).resolves.toEqual({format: '', succeeded: false})
-    expect(mockDebug).toHaveBeenCalledWith(
-      'Unable to determine repository object format from hash-algorithm endpoint: not found'
-    )
-  })
-})

__test__/input-helper.test.ts

@@ -1,13 +1,10 @@
-import {
-  jest,
-  describe,
-  it,
-  expect,
-  beforeAll,
-  beforeEach,
-  afterAll
-} from '@jest/globals'
+import * as core from '@actions/core'
+import * as fsHelper from '../lib/fs-helper'
+import * as github from '@actions/github'
+import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
+import * as workflowContextHelper from '../lib/workflow-context-helper'
+import {IGitSourceSettings} from '../lib/git-source-settings'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
@@ -15,58 +12,42 @@ const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
 // Inputs for mock @actions/core
 let inputs = {} as any
 
-// Mutable mock github context
-const mockGithubContext: any = {
-  ref: 'refs/heads/some-ref',
-  sha: '1234567890123456789012345678901234567890',
-  repo: {owner: 'some-owner', repo: 'some-repo'},
-  eventName: '',
-  payload: {}
-}
-
-// Mock @actions/core before loading input-helper
-jest.unstable_mockModule('@actions/core', () => ({
-  getInput: jest.fn((name: string) => inputs[name]),
-  getBooleanInput: jest.fn((name: string) => inputs[name]),
-  getMultilineInput: jest.fn((name: string) =>
-    inputs[name] ? String(inputs[name]).split('\n').filter(Boolean) : []
-  ),
-  error: jest.fn(),
-  warning: jest.fn(),
-  info: jest.fn(),
-  debug: jest.fn(),
-  setFailed: jest.fn(),
-  setOutput: jest.fn(),
-  setSecret: jest.fn()
-}))
-
-// Mock @actions/github before loading input-helper
-jest.unstable_mockModule('@actions/github', () => ({
-  context: mockGithubContext,
-  getOctokit: jest.fn()
-}))
-
-// Mock fs-helper
-const mockDirectoryExistsSync = jest.fn((p: string) => p === gitHubWorkspace)
-jest.unstable_mockModule('../src/fs-helper.js', () => ({
-  directoryExistsSync: mockDirectoryExistsSync,
-  fileExistsSync: jest.fn()
-}))
-
-// Mock workflow-context-helper
-const mockGetOrganizationId = jest.fn(async () => 123456)
-jest.unstable_mockModule('../src/workflow-context-helper.js', () => ({
-  getOrganizationId: mockGetOrganizationId
-}))
-
-// Dynamic imports after mocking
-const core = await import('@actions/core')
-const inputHelper = await import('../src/input-helper.js')
-type IGitSourceSettings =
-  import('../src/git-source-settings.js').IGitSourceSettings
+// Shallow clone original @actions/github context
+let originalContext = {...github.context}
 
 describe('input-helper tests', () => {
   beforeAll(() => {
+    // Mock getInput
+    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
+      return inputs[name]
+    })
+
+    // Mock error/warning/info/debug
+    jest.spyOn(core, 'error').mockImplementation(jest.fn())
+    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
+    jest.spyOn(core, 'info').mockImplementation(jest.fn())
+    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
+
+    // Mock github context
+    jest.spyOn(github.context, 'repo', 'get').mockImplementation(() => {
+      return {
+        owner: 'some-owner',
+        repo: 'some-repo'
+      }
+    })
+    github.context.ref = 'refs/heads/some-ref'
+    github.context.sha = '1234567890123456789012345678901234567890'
+
+    // Mock ./fs-helper directoryExistsSync()
+    jest
+      .spyOn(fsHelper, 'directoryExistsSync')
+      .mockImplementation((path: string) => path == gitHubWorkspace)
+
+    // Mock ./workflowContextHelper getOrganizationId()
+    jest
+      .spyOn(workflowContextHelper, 'getOrganizationId')
+      .mockImplementation(() => Promise.resolve(123456))
+
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
   })
@@ -74,15 +55,6 @@ describe('input-helper tests', () => {
   beforeEach(() => {
     // Reset inputs
     inputs = {}
-    jest.clearAllMocks()
-    // Re-apply default mocks
-    ;(core.getInput as jest.Mock<any>).mockImplementation(
-      (name: string) => inputs[name]
-    )
-    mockDirectoryExistsSync.mockImplementation(
-      (p: string) => p === gitHubWorkspace
-    )
-    mockGetOrganizationId.mockResolvedValue(123456)
   })
 
   afterAll(() => {
@@ -93,8 +65,11 @@ describe('input-helper tests', () => {
     }
 
     // Restore @actions/github context
-    mockGithubContext.ref = 'refs/heads/some-ref'
-    mockGithubContext.sha = '1234567890123456789012345678901234567890'
+    github.context.ref = originalContext.ref
+    github.context.sha = originalContext.sha
+
+    // Restore
+    jest.restoreAllMocks()
   })
 
   it('sets defaults', async () => {
@@ -104,31 +79,25 @@ describe('input-helper tests', () => {
     expect(settings.clean).toBe(true)
     expect(settings.commit).toBeTruthy()
     expect(settings.commit).toBe('1234567890123456789012345678901234567890')
-    expect(settings.filter).toBe(undefined)
-    expect(settings.sparseCheckout).toBe(undefined)
-    expect(settings.sparseCheckoutConeMode).toBe(true)
     expect(settings.fetchDepth).toBe(1)
-    expect(settings.fetchTags).toBe(false)
-    expect(settings.showProgress).toBe(true)
     expect(settings.lfs).toBe(false)
     expect(settings.ref).toBe('refs/heads/some-ref')
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
     expect(settings.setSafeDirectory).toBe(true)
-    expect(settings.allowUnsafePrCheckout).toBe(false)
   })
 
   it('qualifies ref', async () => {
-    let originalRef = mockGithubContext.ref
+    let originalRef = github.context.ref
     try {
-      mockGithubContext.ref = 'some-unqualified-ref'
+      github.context.ref = 'some-unqualified-ref'
       const settings: IGitSourceSettings = await inputHelper.getInputs()
       expect(settings).toBeTruthy()
       expect(settings.commit).toBe('1234567890123456789012345678901234567890')
       expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
     } finally {
-      mockGithubContext.ref = originalRef
+      github.context.ref = originalRef
     }
   })
 
@@ -159,16 +128,6 @@ describe('input-helper tests', () => {
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
-  it('sets ref to empty when explicit sha-256', async () => {
-    inputs.ref =
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
-    expect(settings.ref).toBeFalsy()
-    expect(settings.commit).toBe(
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    )
-  })
-
   it('sets sha to empty when explicit ref', async () => {
     inputs.ref = 'refs/heads/some-other-ref'
     const settings: IGitSourceSettings = await inputHelper.getInputs()

__test__/ref-helper.test.ts

@@ -1,50 +1,17 @@
-import {jest, describe, it, expect, beforeEach, afterEach} from '@jest/globals'
 import * as assert from 'assert'
-
-// Mutable mock github context
-const mockGithubContext: any = {
-  eventName: '',
-  payload: {},
-  repo: {owner: 'some-owner', repo: 'some-repo'},
-  ref: '',
-  sha: ''
-}
-
-// Mock @actions/core
-const mockDebug = jest.fn()
-jest.unstable_mockModule('@actions/core', () => ({
-  debug: mockDebug,
-  info: jest.fn(),
-  warning: jest.fn(),
-  error: jest.fn(),
-  setFailed: jest.fn()
-}))
-
-// Mock @actions/github
-const mockGetOctokit = jest.fn()
-jest.unstable_mockModule('@actions/github', () => ({
-  context: mockGithubContext,
-  getOctokit: mockGetOctokit
-}))
-
-// Dynamic imports after mocking
-const refHelper = await import('../src/ref-helper.js')
-type IGitCommandManager =
-  import('../src/git-command-manager.js').IGitCommandManager
+import * as refHelper from '../lib/ref-helper'
+import {IGitCommandManager} from '../lib/git-command-manager'
 
 const commit = '1234567890123456789012345678901234567890'
-const sha256Commit =
-  '1234567890123456789012345678901234567890123456789012345678901234'
 let git: IGitCommandManager
 
 describe('ref-helper tests', () => {
   beforeEach(() => {
-    git = {} as unknown as IGitCommandManager
-    jest.clearAllMocks()
+    git = ({} as unknown) as IGitCommandManager
   })
 
   it('getCheckoutInfo requires git', async () => {
-    const git = null as unknown as IGitCommandManager
+    const git = (null as unknown) as IGitCommandManager
     try {
       await refHelper.getCheckoutInfo(git, 'refs/heads/my/branch', commit)
       throw new Error('Should not reach here')
@@ -70,12 +37,6 @@ describe('ref-helper tests', () => {
     expect(checkoutInfo.startPoint).toBeFalsy()
   })
 
-  it('getCheckoutInfo sha-256 only', async () => {
-    const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
-    expect(checkoutInfo.ref).toBe(sha256Commit)
-    expect(checkoutInfo.startPoint).toBeFalsy()
-  })
-
   it('getCheckoutInfo refs/heads/', async () => {
     const checkoutInfo = await refHelper.getCheckoutInfo(
       git,
@@ -106,26 +67,6 @@ describe('ref-helper tests', () => {
     expect(checkoutInfo.startPoint).toBeFalsy()
   })
 
-  it('getCheckoutInfo refs/', async () => {
-    const checkoutInfo = await refHelper.getCheckoutInfo(
-      git,
-      'refs/gh/queue/main/pr-123',
-      commit
-    )
-    expect(checkoutInfo.ref).toBe(commit)
-    expect(checkoutInfo.startPoint).toBeFalsy()
-  })
-
-  it('getCheckoutInfo refs/ without commit', async () => {
-    const checkoutInfo = await refHelper.getCheckoutInfo(
-      git,
-      'refs/non-standard-ref',
-      ''
-    )
-    expect(checkoutInfo.ref).toBe('refs/non-standard-ref')
-    expect(checkoutInfo.startPoint).toBeFalsy()
-  })
-
   it('getCheckoutInfo unqualified branch only', async () => {
     git.branchExists = jest.fn(async (remote: boolean, pattern: string) => {
       return true
@@ -191,20 +132,7 @@ describe('ref-helper tests', () => {
   it('getRefSpec sha + refs/tags/', async () => {
     const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
     expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`)
-  })
-
-  it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
+    expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
   })
 
   it('getRefSpec sha only', async () => {
@@ -220,13 +148,6 @@ describe('ref-helper tests', () => {
     expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
   })
 
-  it('getRefSpec unqualified ref only with fetchTags', async () => {
-    const refSpec = refHelper.getRefSpec('my-ref', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
-  })
-
   it('getRefSpec refs/heads/ only', async () => {
     const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
     expect(refSpec.length).toBe(1)
@@ -246,155 +167,4 @@ describe('ref-helper tests', () => {
     expect(refSpec.length).toBe(1)
     expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
   })
-
-  it('getRefSpec refs/tags/ only with fetchTags', async () => {
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec refs/heads/ only with fetchTags', async () => {
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(
-      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
-    )
-  })
-
-  describe('checkCommitInfo', () => {
-    const repositoryOwner = 'some-owner'
-    const repositoryName = 'some-repo'
-    const ref = 'refs/pull/123/merge'
-    const sha1Head = '1111111111222222222233333333334444444444'
-    const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
-    const sha256Head =
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    const sha256Base =
-      'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
-    let repoGetSpy: jest.Mock<any>
-    let originalEventName: string
-    let originalPayload: unknown
-    let originalRef: string
-    let originalSha: string
-
-    function setPullRequestContext(
-      expectedHeadSha: string,
-      expectedBaseSha: string,
-      mergeCommit: string
-    ): void {
-      mockGithubContext.eventName = 'pull_request'
-      mockGithubContext.ref = ref
-      mockGithubContext.sha = mergeCommit
-      mockGithubContext.payload = {
-        action: 'synchronize',
-        after: expectedHeadSha,
-        number: 123,
-        pull_request: {
-          base: {
-            sha: expectedBaseSha
-          }
-        },
-        repository: {
-          private: false
-        }
-      }
-    }
-
-    beforeEach(() => {
-      originalEventName = mockGithubContext.eventName
-      originalPayload = mockGithubContext.payload
-      originalRef = mockGithubContext.ref
-      originalSha = mockGithubContext.sha
-
-      mockGithubContext.repo = {
-        owner: repositoryOwner,
-        repo: repositoryName
-      }
-
-      repoGetSpy = jest.fn(async () => ({}))
-      mockGetOctokit.mockReturnValue({
-        rest: {
-          repos: {
-            get: repoGetSpy
-          }
-        }
-      } as any)
-    })
-
-    afterEach(() => {
-      mockGithubContext.eventName = originalEventName
-      mockGithubContext.payload = originalPayload
-      mockGithubContext.ref = originalRef
-      mockGithubContext.sha = originalSha
-      jest.clearAllMocks()
-    })
-
-    it('returns early for SHA-1 merge commit', async () => {
-      setPullRequestContext(sha1Head, sha1Base, commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${sha1Head} into ${sha1Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        commit
-      )
-
-      expect(mockGetOctokit).not.toHaveBeenCalled()
-      expect(repoGetSpy).not.toHaveBeenCalled()
-    })
-
-    it('matches SHA-256 merge commit info', async () => {
-      const actualHeadSha =
-        '9999999999888888888877777777776666666666555555555544444444443333'
-      setPullRequestContext(sha256Head, sha256Base, sha256Commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${actualHeadSha} into ${sha256Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        sha256Commit
-      )
-
-      expect(mockGetOctokit).toHaveBeenCalledWith(
-        'token',
-        expect.objectContaining({
-          userAgent: expect.stringContaining(
-            `expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
-          )
-        })
-      )
-      expect(repoGetSpy).toHaveBeenCalledWith({
-        owner: repositoryOwner,
-        repo: repositoryName
-      })
-      expect(mockDebug).toHaveBeenCalledWith(
-        `Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
-      )
-      expect(mockDebug).not.toHaveBeenCalledWith('Unexpected message format')
-    })
-
-    it('does not match 50-char hex as a valid merge', async () => {
-      const invalidHeadSha =
-        '99999999998888888888777777777766666666665555555555'
-      setPullRequestContext(sha1Head, sha1Base, commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${invalidHeadSha} into ${sha1Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        commit
-      )
-
-      expect(mockGetOctokit).not.toHaveBeenCalled()
-      expect(repoGetSpy).not.toHaveBeenCalled()
-      expect(mockDebug).toHaveBeenCalledWith('Unexpected message format')
-    })
-  })
 })

__test__/retry-helper.test.ts

@@ -1,32 +1,16 @@
-import {
-  jest,
-  describe,
-  it,
-  expect,
-  beforeAll,
-  beforeEach,
-  afterAll
-} from '@jest/globals'
-
-let info: string[] = []
-
-// Mock @actions/core before loading retry-helper
-jest.unstable_mockModule('@actions/core', () => ({
-  info: jest.fn((message: string) => {
-    info.push(message)
-  }),
-  debug: jest.fn(),
-  warning: jest.fn(),
-  error: jest.fn()
-}))
-
-// Dynamic imports after mocking
-const {RetryHelper} = await import('../src/retry-helper.js')
+import * as core from '@actions/core'
+import {RetryHelper} from '../lib/retry-helper'
 
+let info: string[]
 let retryHelper: any
 
 describe('retry-helper tests', () => {
   beforeAll(() => {
+    // Mock @actions/core info()
+    jest.spyOn(core, 'info').mockImplementation((message: string) => {
+      info.push(message)
+    })
+
     retryHelper = new RetryHelper(3, 0, 0)
   })
 
@@ -36,6 +20,7 @@ describe('retry-helper tests', () => {
   })
 
   afterAll(() => {
+    // Restore
     jest.restoreAllMocks()
   })
 
@@ -83,7 +68,7 @@ describe('retry-helper tests', () => {
 
   it('all attempts fail succeeds', async () => {
     let attempts = 0
-    let error: Error = null as unknown as Error
+    let error: Error = (null as unknown) as Error
     try {
       await retryHelper.execute(() => {
         throw new Error(`some error ${++attempts}`)

__test__/unsafe-pr-checkout-helper.test.ts

@@ -1,284 +0,0 @@
-import {
-  jest,
-  describe,
-  it,
-  expect,
-  beforeAll,
-  afterEach,
-  afterAll
-} from '@jest/globals'
-
-const BASE_REPO_ID = 100
-const FORK_REPO_ID = 200
-const PR_HEAD_SHA = '1111111111111111111111111111111111111111'
-const PR_MERGE_SHA = '2222222222222222222222222222222222222222'
-const SAFE_BASE_SHA = '3333333333333333333333333333333333333333'
-const WORKFLOW_RUN_HEAD_COMMIT_SHA = '4444444444444444444444444444444444444444'
-const BASE_QUALIFIED_REPO = 'some-owner/some-repo'
-const FORK_QUALIFIED_REPO = 'another-repo/fork'
-
-// Mutable mock context
-const mockContext: any = {
-  eventName: '',
-  payload: {},
-  repo: {owner: 'some-owner', repo: 'some-repo'},
-  ref: '',
-  sha: ''
-}
-
-jest.unstable_mockModule('@actions/github', () => ({
-  context: mockContext
-}))
-
-// Dynamic imports after mocking
-const {assertSafePrCheckout} =
-  await import('../src/unsafe-pr-checkout-helper.js')
-
-const originalEventName = mockContext.eventName
-const originalPayload = mockContext.payload
-
-function setContext(eventName: string, payload: object): void {
-  mockContext.eventName = eventName
-  mockContext.payload = payload
-}
-
-function forkPullRequestTargetPayload(): object {
-  return {
-    repository: {id: BASE_REPO_ID},
-    pull_request: {
-      head: {
-        sha: PR_HEAD_SHA,
-        repo: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
-      },
-      merge_commit_sha: PR_MERGE_SHA
-    }
-  }
-}
-
-function sameRepoPullRequestTargetPayload(): object {
-  return {
-    repository: {id: BASE_REPO_ID},
-    pull_request: {
-      head: {
-        sha: PR_HEAD_SHA,
-        repo: {id: BASE_REPO_ID, full_name: BASE_QUALIFIED_REPO}
-      },
-      merge_commit_sha: PR_MERGE_SHA
-    }
-  }
-}
-
-function forkWorkflowRunPayload(): object {
-  return {
-    repository: {id: BASE_REPO_ID},
-    workflow_run: {
-      event: 'pull_request',
-      head_commit: {id: WORKFLOW_RUN_HEAD_COMMIT_SHA},
-      head_repository: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
-    }
-  }
-}
-
-describe('unsafe-pr-checkout-helper', () => {
-  beforeAll(() => {
-    mockContext.repo = {owner: 'some-owner', repo: 'some-repo'}
-  })
-
-  afterEach(() => {
-    mockContext.eventName = originalEventName
-    mockContext.payload = originalPayload
-  })
-
-  afterAll(() => {
-    mockContext.eventName = originalEventName
-    mockContext.payload = originalPayload
-  })
-
-  it('allows pull_request events untouched', () => {
-    setContext('pull_request', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: 'attacker/fork',
-        ref: 'refs/pull/1/merge',
-        commit: '',
-        allowUnsafePrCheckout: false
-      })
-    ).not.toThrow()
-  })
-
-  it('allows pull_request_target default checkout (base branch)', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: 'refs/heads/main',
-        commit: SAFE_BASE_SHA,
-        allowUnsafePrCheckout: false
-      })
-    ).not.toThrow()
-  })
-
-  it('allows same-repo pull_request_target checkout of PR head', () => {
-    setContext('pull_request_target', sameRepoPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: '',
-        commit: PR_HEAD_SHA,
-        allowUnsafePrCheckout: false
-      })
-    ).not.toThrow()
-  })
-
-  it('refuses pull_request_target fork PR head SHA checkout', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: '',
-        commit: PR_HEAD_SHA,
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow(/Refusing to check out fork pull request code/)
-  })
-
-  it('refuses pull_request_target fork PR merge_commit_sha checkout', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: '',
-        commit: PR_MERGE_SHA,
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow(/allow-unsafe-pr-checkout/)
-  })
-
-  it('refuses pull_request_target fork PR ref pattern (head)', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: 'refs/pull/42/head',
-        commit: '',
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow()
-  })
-
-  it('refuses pull_request_target fork PR ref pattern (merge)', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: 'refs/pull/42/merge',
-        commit: '',
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow()
-  })
-
-  it('refuses pull_request_target when repository points at the fork', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: FORK_QUALIFIED_REPO,
-        ref: 'refs/heads/main',
-        commit: '',
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow()
-  })
-
-  it('allows pull_request_target checkout of an unrelated third-party repo', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: 'some-other/unrelated',
-        ref: 'refs/heads/main',
-        commit: '',
-        allowUnsafePrCheckout: false
-      })
-    ).not.toThrow()
-  })
-
-  it('refuses pull_request_target ignoring repository case differences', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: FORK_QUALIFIED_REPO.toUpperCase(),
-        ref: '',
-        commit: '',
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow()
-  })
-
-  it('refuses pull_request_target ignoring commit SHA case differences', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: '',
-        commit: PR_HEAD_SHA.toUpperCase(),
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow()
-  })
-
-  it('allows pull_request_target fork PR checkout when opted in', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: 'refs/pull/42/merge',
-        commit: '',
-        allowUnsafePrCheckout: true
-      })
-    ).not.toThrow()
-  })
-
-  it('refuses workflow_run fork PR head_commit.id checkout', () => {
-    setContext('workflow_run', forkWorkflowRunPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: '',
-        commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow()
-  })
-
-  it('refuses workflow_run with pull_request_target underlying event', () => {
-    const payload = forkWorkflowRunPayload() as {
-      workflow_run: {event: string}
-    }
-    payload.workflow_run.event = 'pull_request_target'
-    setContext('workflow_run', payload)
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: '',
-        commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
-        allowUnsafePrCheckout: false
-      })
-    ).toThrow()
-  })
-
-  it('allows workflow_run same-repo PR (head_repository.id matches base)', () => {
-    const payload = forkWorkflowRunPayload() as {
-      workflow_run: {head_repository: {id: number}}
-    }
-    payload.workflow_run.head_repository.id = BASE_REPO_ID
-    setContext('workflow_run', payload)
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: BASE_QUALIFIED_REPO,
-        ref: '',
-        commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
-        allowUnsafePrCheckout: false
-      })
-    ).not.toThrow()
-  })
-})

__test__/url-helper.test.ts

@@ -1,93 +0,0 @@
-import {jest, describe, it, expect, beforeEach, afterAll} from '@jest/globals'
-import * as urlHelper from '../src/url-helper.js'
-
-describe('getServerUrl tests', () => {
-  it('basics', async () => {
-    // Note that URL::toString will append a trailing / when passed just a domain name ...
-    expect(urlHelper.getServerUrl().toString()).toBe('https://github.com/')
-    expect(urlHelper.getServerUrl(' ').toString()).toBe('https://github.com/')
-    expect(urlHelper.getServerUrl('   ').toString()).toBe('https://github.com/')
-    expect(urlHelper.getServerUrl('http://contoso.com').toString()).toBe(
-      'http://contoso.com/'
-    )
-    expect(urlHelper.getServerUrl('https://contoso.com').toString()).toBe(
-      'https://contoso.com/'
-    )
-    expect(urlHelper.getServerUrl('https://contoso.com/').toString()).toBe(
-      'https://contoso.com/'
-    )
-
-    // ... but can't make that same assumption when passed an URL that includes some deeper path.
-    expect(urlHelper.getServerUrl('https://contoso.com/a/b').toString()).toBe(
-      'https://contoso.com/a/b'
-    )
-  })
-})
-
-describe('isGhes tests', () => {
-  const pristineEnv = process.env
-
-  beforeEach(() => {
-    jest.resetModules()
-    process.env = {...pristineEnv}
-  })
-
-  afterAll(() => {
-    process.env = pristineEnv
-  })
-
-  it('basics', async () => {
-    delete process.env['GITHUB_SERVER_URL']
-    expect(urlHelper.isGhes()).toBeFalsy()
-    expect(urlHelper.isGhes('https://github.com')).toBeFalsy()
-    expect(urlHelper.isGhes('https://contoso.ghe.com')).toBeFalsy()
-    expect(urlHelper.isGhes('https://test.github.localhost')).toBeFalsy()
-    expect(urlHelper.isGhes('https://src.onpremise.fabrikam.com')).toBeTruthy()
-  })
-
-  it('returns false when the GITHUB_SERVER_URL environment variable is not defined', async () => {
-    delete process.env['GITHUB_SERVER_URL']
-    expect(urlHelper.isGhes()).toBeFalsy()
-  })
-
-  it('returns false when the GITHUB_SERVER_URL environment variable is set to github.com', async () => {
-    process.env['GITHUB_SERVER_URL'] = 'https://github.com'
-    expect(urlHelper.isGhes()).toBeFalsy()
-  })
-
-  it('returns false when the GITHUB_SERVER_URL environment variable is set to a GitHub Enterprise Cloud-style URL', async () => {
-    process.env['GITHUB_SERVER_URL'] = 'https://contoso.ghe.com'
-    expect(urlHelper.isGhes()).toBeFalsy()
-  })
-
-  it('returns false when the GITHUB_SERVER_URL environment variable has a .localhost suffix', async () => {
-    process.env['GITHUB_SERVER_URL'] = 'https://mock-github.localhost'
-    expect(urlHelper.isGhes()).toBeFalsy()
-  })
-
-  it('returns true when the GITHUB_SERVER_URL environment variable is set to some other URL', async () => {
-    process.env['GITHUB_SERVER_URL'] = 'https://src.onpremise.fabrikam.com'
-    expect(urlHelper.isGhes()).toBeTruthy()
-  })
-})
-
-describe('getServerApiUrl tests', () => {
-  it('basics', async () => {
-    expect(urlHelper.getServerApiUrl()).toBe('https://api.github.com')
-    expect(urlHelper.getServerApiUrl('https://github.com')).toBe(
-      'https://api.github.com'
-    )
-    expect(urlHelper.getServerApiUrl('https://GitHub.com')).toBe(
-      'https://api.github.com'
-    )
-    expect(urlHelper.getServerApiUrl('https://contoso.ghe.com')).toBe(
-      'https://api.contoso.ghe.com'
-    )
-    expect(urlHelper.getServerApiUrl('https://fabrikam.GHE.COM')).toBe(
-      'https://api.fabrikam.ghe.com'
-    )
-    expect(
-      urlHelper.getServerApiUrl('https://src.onpremise.fabrikam.com')
-    ).toBe('https://src.onpremise.fabrikam.com/api/v3')
-  })
-})

__test__/verify-basic.sh

@@ -18,20 +18,6 @@ else
     exit 1
   fi
 
-  # Verify that sparse-checkout is disabled.
-  SPARSE_CHECKOUT_ENABLED=$(git -C ./basic config --local --get-all core.sparseCheckout)
-  if [ "$SPARSE_CHECKOUT_ENABLED" != "" ]; then
-    echo "Expected sparse-checkout to be disabled (discovered: $SPARSE_CHECKOUT_ENABLED)"
-    exit 1
-  fi
-
-  # Verify git configuration shows worktreeConfig is effectively disabled
-  WORKTREE_CONFIG_ENABLED=$(git -C ./basic config --local --get-all extensions.worktreeConfig)
-  if [[ "$WORKTREE_CONFIG_ENABLED" != "" ]]; then
-    echo "Expected extensions.worktreeConfig (boolean) to be disabled in git config.  This could be an artifact of sparse checkout functionality."
-    exit 1
-  fi
-
   # Verify auth token
   cd basic
   git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main

__test__/verify-fetch-filter.sh

@@ -1,16 +0,0 @@
-#!/bin/bash
-
-# Verify .git folder
-if [ ! -d "./fetch-filter/.git" ]; then
-  echo "Expected ./fetch-filter/.git folder to exist"
-  exit 1
-fi
-
-# Verify .git/config contains partialclonefilter
-
-CLONE_FILTER=$(git -C fetch-filter config --local --get remote.origin.partialclonefilter)
-
-if [ "$CLONE_FILTER" != "blob:none" ]; then
-  echo "Expected ./fetch-filter/.git/config to have 'remote.origin.partialclonefilter' set to 'blob:none'"
-  exit 1
-fi

__test__/verify-fetch-tags.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-# Verify tags were fetched
-TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
-if [ "$TAG_COUNT" -eq 0 ]; then
-    echo "Expected tags to be fetched, but found none"
-    exit 1
-fi
-echo "Found $TAG_COUNT tags"

__test__/verify-sparse-checkout-non-cone-mode.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-
-# Verify .git folder
-if [ ! -d "./sparse-checkout-non-cone-mode/.git" ]; then
-  echo "Expected ./sparse-checkout-non-cone-mode/.git folder to exist"
-  exit 1
-fi
-
-# Verify sparse-checkout (non-cone-mode)
-cd sparse-checkout-non-cone-mode
-
-ENABLED=$(git config --local --get-all core.sparseCheckout)
-
-if [ "$?" != "0" ]; then
-    echo "Failed to verify that sparse-checkout is enabled"
-    exit 1
-fi
-
-# Check that sparse-checkout is enabled
-if [ "$ENABLED" != "true" ]; then
-  echo "Expected sparse-checkout to be enabled (is: $ENABLED)"
-  exit 1
-fi
-
-SPARSE_CHECKOUT_FILE=$(git rev-parse --git-path info/sparse-checkout)
-
-if [ "$?" != "0" ]; then
-    echo "Failed to validate sparse-checkout"
-    exit 1
-fi
-
-# Check that sparse-checkout list is not empty
-if [ ! -f "$SPARSE_CHECKOUT_FILE" ]; then
-  echo "Expected sparse-checkout file to exist"
-  exit 1
-fi
-
-# Check that all folders from sparse-checkout exists
-for pattern in $(cat "$SPARSE_CHECKOUT_FILE")
-do
-  if [ ! -d "${pattern#/}" ]; then
-    echo "Expected directory '${pattern#/}' to exist"
-    exit 1
-  fi
-done
-
-# Verify that the root directory is not checked out
-if [ -f README.md ]; then
-  echo "Expected top-level files not to exist"
-  exit 1
-fi

__test__/verify-sparse-checkout.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Verify .git folder
-if [ ! -d "./sparse-checkout/.git" ]; then
-  echo "Expected ./sparse-checkout/.git folder to exist"
-  exit 1
-fi
-
-# Verify sparse-checkout
-cd sparse-checkout
-
-SPARSE=$(git sparse-checkout list)
-
-if [ "$?" != "0" ]; then
-    echo "Failed to validate sparse-checkout"
-    exit 1
-fi
-
-# Check that sparse-checkout list is not empty
-if [ -z "$SPARSE" ]; then
-  echo "Expected sparse-checkout list to not be empty"
-  exit 1
-fi
-
-# Check that all folders of the sparse checkout exist
-for pattern in $SPARSE
-do
-  if [ ! -d "$pattern" ]; then
-    echo "Expected directory '$pattern' to exist"
-    exit 1
-  fi
-done
-
-checkSparse () {
-  if [ ! -d "./$1" ]; then
-    echo "Expected directory '$1' to exist"
-    exit 1
-  fi
-
-  for file in $(git ls-tree -r --name-only HEAD $1)
-  do
-    if [ ! -f "$file" ]; then
-      echo "Expected file '$file' to exist"
-      exit 1
-    fi
-  done
-}
-
-# Check that all folders and their children have been checked out
-checkSparse __test__
-checkSparse .github
-checkSparse dist
-
-# Check that only sparse-checkout folders have been checked out
-for pattern in $(git ls-tree --name-only HEAD)
-do
-  if [ -d "$pattern" ]; then
-    if [[ "$pattern" != "__test__" && "$pattern" != ".github" && "$pattern" != "dist" ]]; then
-      echo "Expected directory '$pattern' to not exist"
-      exit 1
-    fi
-  fi
-done

__test__/verify-submodules-recursive.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
-git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
+git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd